Mobile Threat Monday: Watch Out for Stealthy Trojans, Leaky Apps

This week's list of Android apps you probably don't want on your mobile device includes apps that collect your information and send them to remote servers. You may think leaking your email address is harmless—but you should at least be aware of what data these apps are sending out.

NQ Mobile had an interesting report out last week, where the company saw a "dramatic decrease in mobile malware infections" in the second quarter of 2013. The U.S. saw 63 percent less mobile malware infections in the second quarter, compared to the first quarter of 2013, according to NQ Mobile. This is a nice change from the sky is falling predictions about skyrocketing mobile malware.

Whether the numbers are going up or down doesn't really matter. You don't want malware on your device. Install a mobile security app to keep you safe and stay away from unofficial app stores. And watch out for the following dangerous Android apps.

Settings.apkEvery once in a while, we hear about an Android Trojan that is downright scary, and this malicious "System" app (com.android.system.admin) is one of them. This app is found on unofficial third-party marketplaces, but users can also get infected via a drive-by-download attack if they browse to a malicious Website from their Android devices, F-Secure said. If your device is paired to an infected Android device, you will likely get infected, too.

"While not very widespread, this Trojan is very complex and professionally built," Antti Tikkanen, F-Secure's director of security response, told SecurityWatch. Most of the victims are in Russia, but F-Secure has found samples in other countries.

When the user installs this application package, called "settings.apk," but listed on the marketplace as "System," the Trojan gains administrator access on the device. Since it runs in the background, users frequently have no idea that this package is running, and the app exploits an Android vulnerability to keep itself hidden.

Once in, attackers use the app as a backdoor and gain full remote access, which allows them to send text messages to premium SMS numbers or go to other websites to download and install additional malware. The Trojan also collects and transfers device information such as the MAC address, the carrier name, the device's IMEI number, and the full list of applications currently installed on the device. It also accesses the contacts list. F-Secure detects this Trojan as Android/Obad.A.

This is one of the reasons it pays to have a security app on your mobile device. This app is invisible to the user, so unless you have an app scanner, you will never know you've been infected. There are quite a few mobile scanners out there, including PCMag's Editor's Choice BitDefender Mobile Security and Antivirus.

Cambridge American IdiomThis dictionary app has been removed from Google Play, but is still available on quite a few marketplaces and Websites. BitDefender found that this app reads contact names and email addresses. It's not clear at this point why a dictionary would need to have that level of information.

The app also shares data with a third-party company called AppLovin and displays ads in the notification bar, although users have the option to opt-out of the ads from within the app.

Button Football (Soccer)BitDefender also flagged Button Football from developer Royal Apps because the app leaked the user's phone number. There are also reviews on Google Play warning that the app spammed users once installed. Users would see alerts, requests to sign out of services, icons for random Websites, and other spammy behavior.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid
More »